From b57a3394d7c6d881b6bbd63e87cc3455189ddd3f Mon Sep 17 00:00:00 2001 From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com> Date: Mon, 2 Feb 2026 01:14:28 +0000 Subject: [PATCH] feat: Add dependency and supply chain audit report This commit introduces a comprehensive security audit of the project's dependencies and supply chain. The findings are documented in the `AUDIT-DEPENDENCIES.md` file, which covers: - A detailed analysis of direct and transitive dependencies for both Go and npm. - An assessment of lock file usage and best practices. - A review of supply chain risks, including the build and release processes. - A vulnerability scan using `govulncheck`, which identified several issues in the Go standard library. In addition to the audit report, this commit also adds a `package-lock.json` file to the `npm/poindexter-wasm` directory to ensure reproducible builds. Co-authored-by: Snider <631881+Snider@users.noreply.github.com> --- AUDIT-DEPENDENCIES.md | 68 +++++++++++++++++++++++++++ npm/poindexter-wasm/package-lock.json | 13 +++++ 2 files changed, 81 insertions(+) create mode 100644 AUDIT-DEPENDENCIES.md create mode 100644 npm/poindexter-wasm/package-lock.json diff --git a/AUDIT-DEPENDENCIES.md b/AUDIT-DEPENDENCIES.md new file mode 100644 index 0000000..434cd24 --- /dev/null +++ b/AUDIT-DEPENDENCIES.md @@ -0,0 +1,68 @@ +# Dependency and Supply Chain Audit Report + +## 1. Dependency Analysis + +### 1.1. Direct Dependencies + +- **Go:** The project uses Go version `1.23`, as specified in the `go.mod` file. There are no direct Go module dependencies. +- **npm:** The WebAssembly component of the project, located in `npm/poindexter-wasm`, has no direct npm dependencies listed in its `package.json` file. + +### 1.2. Transitive Dependencies + +- **Go:** Since there are no direct dependencies, there are no transitive Go dependencies. This was confirmed by running `go mod why -m all`. +- **npm:** An `npm audit` was performed, and it confirmed that there are no transitive dependencies. + +### 1.3. License Compliance + +- The project itself is licensed under the MIT license. +- Since there are no external dependencies, there are no third-party licenses to track or comply with. + +## 2. Lock Files + +- **Go:** The `go.mod` file is present, but since there are no dependencies, a `go.sum` file is not generated. +- **npm:** A `package-lock.json` file has been added to the repository to ensure reproducible builds, although there are currently no dependencies. + +## 3. Supply Chain Risks + +### 3.1. Package Sources + +- **Go:** The project does not use any external Go modules. +- **npm:** The project does not use any external npm packages. + +### 3.2. Build Process + +- The build process is managed by a `Makefile` and automated with GitHub Actions. +- The CI/CD pipeline, defined in `.github/workflows/ci.yml` and `.github/workflows/release.yml`, is comprehensive and includes: + - Linting (`golangci-lint`) + - Vetting (`go vet`) + - Testing (including race detection) + - Code coverage analysis + - Vulnerability scanning (`govulncheck`) + - WebAssembly build and smoke testing +- Releases are automated using `goreleaser`, which helps ensure a consistent and reproducible build process. + +## 4. Vulnerability Analysis + +A vulnerability scan was performed using `govulncheck`. The scan identified 13 vulnerabilities in the Go standard library for the version used in this project (`1.23`). + +### 4.1. Identified Vulnerabilities + +| CVE ID | Severity | Description | Remediation Priority | +|-----------------|----------|-----------------------------------------------------------------------------|----------------------| +| `GO-2026-4340` | High | Handshake messages may be processed at the incorrect encryption level | High | +| `GO-2025-4175` | Medium | Improper application of excluded DNS name constraints | Medium | +| `GO-2025-4155` | Medium | Excessive resource consumption when printing error string for host cert | Medium | +| `GO-2025-4013` | Medium | Panic when validating certificates with DSA public keys | Medium | +| `GO-2025-4012` | Medium | Lack of limit when parsing cookies can cause memory exhaustion | Medium | +| `GO-2025-4011` | Medium | Parsing DER payload can cause memory exhaustion | Medium | +| `GO-2025-4010` | Medium | Insufficient validation of bracketed IPv6 hostnames | Medium | +| `GO-2025-4009` | Medium | Quadratic complexity when parsing some invalid inputs | Medium | +| `GO-2025-4008` | Medium | ALPN negotiation error contains attacker controlled information | Medium | +| `GO-2025-4007` | Medium | Quadratic complexity when checking name constraints | Medium | +| `GO-2025-3751` | Medium | Sensitive headers not cleared on cross-origin redirect | Medium | +| `GO-2025-3750` | Low | Inconsistent handling of O_CREATE\|O_EXCL on Unix and Windows | Low | +| `GO-2025-3749` | Low | Usage of ExtKeyUsageAny disables policy validation | Low | + +### 4.2. Remediation + +The identified vulnerabilities are all in the Go standard library. The recommended remediation is to update the Go version to the latest stable release, which includes patches for these vulnerabilities. Given that some of these vulnerabilities are rated as "High" severity, this should be a high-priority action. diff --git a/npm/poindexter-wasm/package-lock.json b/npm/poindexter-wasm/package-lock.json new file mode 100644 index 0000000..d53f67c --- /dev/null +++ b/npm/poindexter-wasm/package-lock.json @@ -0,0 +1,13 @@ +{ + "name": "@snider/poindexter-wasm", + "version": "0.0.0-development", + "lockfileVersion": 3, + "requires": true, + "packages": { + "": { + "name": "@snider/poindexter-wasm", + "version": "0.0.0-development", + "license": "MIT" + } + } +}